Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: JMXProxy


  1. How do I use OpenSSL to set up my own Certificate Authority (CA)?
  2. Oh no! Port 8005 is available for anyone on localhost to shutdown my tomcat!
  3. What about Tomcat running as root?
  4. How do I force all my pages to run under HTTPS?
  5. What is the default login for the manager and admin app?
  6. How do I restrict access by ip address or remote host?
  7. How do I use jsvc/procrun to run Tomcat on port 80 securely?
  8. Has Tomcat's security been independently analyzed or audited?
  9. How do I change the Server header in the response?
  10. Why are passwords in plain text?
  11. How can I restrict the list of ciphers used for HTTPS?
  12. Which cipher suites should I use?
  13. Is Tomcat affect by Log4Shell CVE-2021-44228?
  14. I found a vulnerability in JMXProxy


How do I use OpenSSL to set up my own Certificate Authority (CA)?


More details on these CVE's via the ASF blog

I found a vulnerability in JMXProxy

JMXProxy is a powerful servlet which has full access to all JMX capabilities. By design, enabling it opens you to a lot of security challenges. The equivalent of enabling generic remote JMX access at the JVM level.

With that in mind, if you enable it: You should at a minimum require an extremely strong password to protect this URL as well restrict the IP client list which may access it. (Ideally restricting it to localhost if possible)